This bug has been migrated to another issue tracking site. It has been closed here and may no longer be being monitored.

If you would like to get updates for this issue, or to participate in it, you may do so at Red Hat Issue Tracker.
Bug 1827567 - [RFE] Octavia. Allow adding security groups to LB's VIP ports
Status: CLOSED MIGRATED
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-octavia
Version: 16.0 (Train)
Hardware: All
OS: All
Priority: unspecified
Severity: medium
Assignee: OSP Team
QA Contact: Bruna Bonguardo
Reported: 2020-04-24 08:37 UTC by Alex Stupnikov
Modified: 2024-12-20 19:03 UTC

Last Closed: 2023-10-31 12:44:29 UTC
Links
System | ID | Private | Priority | Status | Summary | Last Updated
OpenStack gerrit | 723735 | 0 | None | NEW | Share the LB security group with the LB owner | 2023-08-08 14:42:16 UTC
Red Hat Issue Tracker | OSP-2374 | 0 | None | None | None | 2023-10-31 12:48:59 UTC
Red Hat Issue Tracker | OSP-30109 | 0 | None | None | None | 2023-11-14 11:58:22 UTC
Red Hat Issue Tracker | OSP-30429 | 0 | None | None | None | 2023-11-14 12:01:57 UTC

Description Alex Stupnikov 2020-04-24 08:37:11 UTC
Description of problem:

AWS allows its customers to configure inbound traffic filters on VMs to allow traffic from load balancers only. In OpenStack we can modify a VM's security group and add a rule to allow a certain type of traffic from some other security group. It is possible to use the LB's VIP port's SG and achieve the same goal.

The problem is that the load balancer's security groups for VIP ports are generated dynamically and the described configuration process is not straightforward: customers need to add an SG rule after every LB is created, get its SG ID and modify the VM's SG. What if there are different groups of VMs?

It would be great to allow customers to add some existing SG to the LB's VIP port when the LB is created or modified (in addition to the default SG generated automatically). After such a change, the customer will have to create a custom SG, set the VM's SG rule only once and specify some extra SG when the LB is created or modified.
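
The per-load-balancer steps outlined in the description, written out with the openstack CLI as an added example (not part of the original report and not Octavia code). The function name and its arguments are hypothetical, and it assumes the caller's credentials can read the VIP port and reference its security group as a remote group.

```bash
#!/usr/bin/env bash
# Added example: per-LB workaround from the description, using the openstack
# CLI with the Octavia plugin. Function name and arguments are hypothetical.

UUID_RE='[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}'

# allow_lb_to_backends LB BACKEND_SG TCP_PORT
allow_lb_to_backends() {
  local lb=$1 backend_sg=$2 tcp_port=$3 vip_port lb_sgs sg

  # 1. Find the VIP port that was created for this load balancer.
  vip_port=$(openstack loadbalancer show "$lb" -f value -c vip_port_id) || return 1
  [ -n "$vip_port" ] || { echo "no VIP port for $lb" >&2; return 1; }

  # 2. Read the security group(s) attached to the VIP port. Only the UUIDs are
  #    kept, so the way the client renders the list does not matter.
  lb_sgs=$(openstack port show "$vip_port" -f value -c security_group_ids \
             | grep -Eo "$UUID_RE" || true)
  [ -n "$lb_sgs" ] || { echo "VIP port $vip_port has no security group" >&2; return 1; }

  # 3. Allow ingress on the backend SG only from members of the LB's SG
  #    (remote group) instead of from a CIDR.
  for sg in $lb_sgs; do
    openstack security group rule create --ingress --protocol tcp \
      --dst-port "$tcp_port" --remote-group "$sg" "$backend_sg" || return 1
  done
}
```

These three steps have to be repeated for every new load balancer and every group of backend VMs, which is the overhead the request describes.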

Comment 5 Red Hat Bugzilla 2024-03-14 04:25:02 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days

